LANDFALL Android Malware Exploits Samsung Zero-Day via Malicious WhatsApp Image

Cybersecurity researchers at Palo Alto Networks’ Unit 42 have discovered a sophisticated Android spyware campaign that exploited a critical zero-day vulnerability in Samsung Galaxy devices through malicious images sent via WhatsApp.

The previously unknown malware family, dubbed LANDFALL, leveraged CVE-2025-21042 a crucial vulnerability in Samsung’s image processing library to conduct advanced surveillance operations targeting individuals in the Middle East.

The LANDFALL spyware campaign began operating in mid-2024, months before Samsung patched the vulnerability in April 2025. Attackers embedded malicious code within specially crafted DNG (Digital Negative) image files that appeared as ordinary WhatsApp images, with filenames like “WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg” that suggested delivery via the popular messaging platform.

This attack method closely mirrors exploit chains previously observed targeting Apple iOS devices. The vulnerability resided in Samsung’s libimagecodec.quram.so library, allowing attackers to execute code when victims’ devices automatically processed the malformed image files.

The exploit potentially enabled zero-click remote code execution, meaning victims could be compromised without any interaction beyond receiving the image.

Unit 42 researchers discovered the campaign while investigating a parallel iOS exploit chain disclosed in August 2025. Their analysis revealed six samples of malicious DNG files uploaded to VirusTotal between July 2024 and February 2025, containing embedded ZIP archives with the spyware components.

LANDFALL Android Malware

LANDFALL demonstrates characteristics consistent with commercial spyware developed by private sector offensive actors (PSOAs). The malware specifically targets Samsung Galaxy flagship models including the S22, S23 and S24 series, as well as Z Fold4 and Z Flip4 devices.

The b.so component of LANDFALL communicates with its C2 server over HTTPS using a non-standard, ephemeral TCP port. 

The spyware’s capabilities are extensive and include microphone recording, call interception, location tracking, and collection of photos, contacts, call logs, SMS messages and browsing history.

LANDFALL also features sophisticated evasion techniques to detect debugging tools, instrumentation frameworks, and security analysis environments.

Analysis of the malware’s infrastructure revealed potential connections to Middle Eastern threat actors. The spyware shares infrastructure patterns with the Stealth Falcon group, a known PSOA operating in the UAE.

Additionally, LANDFALL’s technical characteristics particularly its use of the term “Bridge Head” for its loader component suggest possible links to the Variston spyware framework, which reportedly supplied tools to UAE-based entities.

Highlighting Ongoing Threats

Samsung patched CVE-2025-21042 in April 2025 after receiving reports of in-the-wild exploitation. In September 2025, the company addressed another related vulnerability, CVE-2025-21043, in the same image processing library. Current Samsung users with updated firmware are protected against these specific attacks.

Interpretation of this initial POST request, where we use curl to show how this request would be structured.

The discovery underscores a concerning trend of DNG image processing vulnerabilities being exploited across mobile platforms.

Apple patched a similar zero-day vulnerability (CVE-2025-43300) in August 2025, while WhatsApp addressed CVE-2025-55177, which was chained with the Apple vulnerability for sophisticated attacks on iOS devices.

Palo Alto Networks customers receive protection through Advanced WildFire, Advanced URL Filtering, Advanced DNS Security and Advanced Threat Prevention products. Organizations concerned about potential compromise should contact Unit 42’s Incident Response team for assistance.

The LANDFALL campaign, tracked by Unit 42 as CL-UNK-1054, remained undetected for months despite active exploitation, highlighting the sophisticated nature of modern commercial spyware operations and the ongoing challenges in detecting advanced mobile threats.

Indicators of Compromise

SHA256 Hash	Filename	Size
b06dec10e8ad0005ebb9da24204c96cb2e297bd8d418bc1c8983d066c0997756	img-20250120-wa0005.jpg	6.66 MB
c0f30c2a2d6f95b57128e78dc0b7180e69315057e62809de1926b75f86516b2e	2.tiff	6.58 MB
9297888746158e38d320b05b27b0032b2cc29231be8990d87bc46f1e06456f93	whatsapp image 2025-02-10 at 4.54.17 pm.jpeg	6.66 MB
d2fafc7100f33a11089e98b660a85bd479eab761b137cca83b1f6d19629dd3b0	b.so	103.31 KB
384f073d3d51e0f2e1586b6050af62de886ff448735d963dfc026580096d81bd	(unknown)	103.31 KB
b975b499baa3119ac5c2b3379306d4e50b9610e9bba3e56de7dfd3927a96032d	1.jpeg	5.66 MB
a62a2400bf93ed84ebadf22b441924f904d3fcda7d1507ba309a4b1801d44495	(unknown)	103.31 KB
29882a3c426273a7302e852aa77662e168b6d44dcebfca53757e29a9cdf02483	img-20240723-wa0001.jpg	6.58 MB
2425f15eb542fca82892fd107ac19d63d4d112ddbfe698650f0c25acf6f8d78a	6357fc.zip	380.71 KB
b45817ffb0355badcc89f2d7d48eecf00ebdf2b966ac986514f9d971f6c57d18	img-20240723-wa0000.jpg	5.65 MB
69cf56ac6f3888efa7a1306977f431fd1edb369a5fd4591ce37b72b7e01955ee	localfile~	1.42 MB
211311468f3673f005031d5f77d4d716e80cbf3c1f0bb1f148f2200920513261	l	332.88 KB
ffeeb0356abb56c5084756a5ab0a39002832403bca5290bb6d794d14b642ffe2	(unknown)	103.31 KB

Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.

The post LANDFALL Android Malware Exploits Samsung Zero-Day via Malicious WhatsApp Image appeared first on Cyber Security News.